I was unable to find a good place that describes how to create a simple
self-hosted email setup. The most surprising discovery was how much already
works after:

apt-get install postfix dovecot-imapd

Right after the installation finished I was able to receive email (but only
into /var/mail in mbox format) and to send email (but not from any other
host). So while I expected a pretty complex setup, it turned out to boil down
to adjusting a few configuration parameters.

Postfix

The two interesting files for configuring postfix are /etc/postfix/main.cf and
/etc/postfix/master.cf. A commented version of the former is available as
/usr/share/postfix/main.cf.dist. Alternatively, there is the very long man
page postconf(5). The latter file is documented in master(5).

At this point, also make sure that the parameters smtpd_tls_cert_file and
smtpd_tls_key_file point to the certificate and private key you actually want
to serve. Either change these values or replace the contents of
/etc/ssl/certs/ssl-cert-snakeoil.pem and
/etc/ssl/private/ssl-cert-snakeoil.key, which Debian's main.cf references by
default. Those two files are the self-signed placeholder generated by the
ssl-cert package at install time, so mail clients and other servers will warn
about them until they are replaced.

The home_mailbox parameter (set here to Mail/) sets the default path for
incoming mail. Since there is no leading slash, this puts mail into $HOME/Mail
for each user. The trailing slash is important as it selects ``qmail-style
delivery'', which means maildir format rather than a single mbox file.

The default of the smtpd_recipient_restrictions parameter is
permit_mynetworks reject_unauth_destination, so the change just inserts the
permit_sasl_authenticated option. Postfix evaluates this list from left to
right and stops at the first entry that permits or rejects, so the new option
has to come before reject_unauth_destination, and reject_unauth_destination
must stay in the list: without it the server is an open relay. The new option
is necessary to allow users to send email through the server once they have
successfully verified their login through dovecot. That dovecot login
verification is activated with smtpd_sasl_type = dovecot and with
smtpd_sasl_path, which names the authentication socket dovecot provides.

I found it necessary to set the smtp_helo_name parameter to the reverse DNS
name of my server. This was necessary because many other email servers would
only accept email from a server with a valid reverse DNS entry. My hosting
provider charges USD 7.50 per month to change the default reverse DNS name, so
the easy solution is to instead just adjust the name announced in the SMTP
HELO.

/etc/postfix/master.cf

The file master.cf is used to enable the submission service, i.e. the
authenticated SMTP listener on port 587 that mail clients use for sending. The
following diff just removes the comment characters from the appropriate
section.
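Collected into one place, the settings the paragraphs above describe. This is an added example, my reconstruction rather than the author's diffs (which this page does not reproduce). The certificate paths are Debian's snakeoil defaults, mail.example.org is a placeholder hostname, the submission stanza carries the -o overrides of Debian's commented-out stanza, and smtpd_tls_auth_only is a hardening addition of mine:

```conf
# /etc/postfix/main.cf -- only the parameters discussed above.
# Postfix does not allow a comment after a value, so every comment
# sits on its own line.

# Certificate and key served on ports 25 and 587. These are Debian's
# self-signed snakeoil placeholders; point them at a real certificate.
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
# Offer STARTTLS on port 25, but never accept AUTH on an unencrypted
# connection (smtpd_tls_auth_only is my addition).
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes

# No leading slash: relative to each user's home directory.
# Trailing slash: qmail-style delivery, i.e. a maildir.
home_mailbox = Mail/

# Delegate SMTP AUTH to Dovecot. private/auth is an assumed socket name
# (the post does not show it); it is relative to queue_directory, so it
# resolves to /var/spool/postfix/private/auth.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# Evaluated left to right; the first permit or reject wins.
# permit_sasl_authenticated must precede reject_unauth_destination, and
# reject_unauth_destination must stay, or the host is an open relay.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Name announced in our outgoing HELO/EHLO. Placeholder; use the name the
# server's public IP address reverse-resolves to.
smtp_helo_name = mail.example.org

# /etc/postfix/master.cf -- the submission stanza with the comment
# characters removed. Port 587 requires TLS and enables AUTH; anything
# not authenticated is rejected outright.
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

After reloading, postconf -n lists every parameter that differs from its default and postfix check reports configuration errors without reloading. The check that matters most is the open-relay test: from a host outside mynetworks, connect to port 25 and, without authenticating, issue MAIL FROM and then RCPT TO an address in a domain this server does not host. The reply to RCPT TO must be 554 5.7.1 with "Relay access denied"; anything else means reject_unauth_destination is not doing its job.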

Dovecot

Since the above configuration changes made postfix store email in a different
location and format than the default, dovecot has to be told about these
changes as well. This is done in /etc/dovecot/conf.d/10-mail.conf. The second
configuration change, in /etc/dovecot/conf.d/10-master.conf, lets postfix
authenticate users through dovecot. For SSL one should look into
/etc/dovecot/conf.d/10-ssl.conf and either adapt the parameters ssl_cert
and ssl_key or store the correct certificate and private key in
/etc/dovecot/dovecot.pem and /etc/dovecot/private/dovecot.pem,
respectively. As with postfix's snakeoil certificate, the shipped dovecot.pem
is a self-signed placeholder, so mail clients will warn until it is replaced.

The dovecot-core package (which dovecot-imapd depends on) ships a lot of
documentation. The file
/usr/share/doc/dovecot-core/dovecot/documentation.txt.gz gives an overview of
what resources are available. The directory
/usr/share/doc/dovecot-core/dovecot/wiki contains a snapshot of the dovecot
wiki at http://wiki2.dovecot.org/. The example configurations seem to be the
same files as the ones in /etc/, which are already well commented.

/etc/dovecot/conf.d/10-mail.conf

The following diff changes the default email location from /var/mail to the
maildir in ~/Mail that was configured for postfix above.
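The corresponding dovecot side, again as an added example rather than the original post's diffs: mail_location has to agree with postfix's home_mailbox, the authentication socket lives under postfix's queue directory (the socket name private/auth is my assumption for the smtpd_sasl_path value, which the post does not show), and the TLS block uses the certificate paths named above. ssl = required and disable_plaintext_auth = yes are hardening settings I added; the latter is already dovecot's default.

```conf
# /etc/dovecot/conf.d/10-mail.conf: the same maildir postfix delivers into.
mail_location = maildir:~/Mail

# /etc/dovecot/conf.d/10-master.conf: the socket postfix's smtpd_sasl_path
# refers to, created inside postfix's queue directory. Mode 0660 with the
# postfix user and group means only postfix can talk to the auth service.
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

# /etc/dovecot/conf.d/10-ssl.conf: Debian's self-signed placeholder paths;
# put a real certificate there. "required" refuses any IMAP login that
# does not happen under TLS.
ssl = required
ssl_cert = </etc/dovecot/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem

# /etc/dovecot/conf.d/10-auth.conf: dovecot's default, kept explicit here.
# Plaintext mechanisms (PLAIN, LOGIN) are only offered over TLS or from
# localhost, so a client cannot be tricked into sending a password in clear.
disable_plaintext_auth = yes
```

doveconf -n shows the effective non-default settings, and doveadm auth test followed by a user name exercises the password database directly. After a reload the socket should exist as /var/spool/postfix/private/auth, owned by postfix with mode 0660; if postfix logs "SASL authentication failure: cannot connect to Dovecot auth daemon", that socket is what to look at first.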

Finishing up

Everything is configured; now postfix and dovecot have to pick up the
changes. There are several ways to do that: restart the services, reboot, or
just run:

$ postfix reload
$ doveadm reload

SPF

Checking incoming mail against the sender domain's SPF record is done by a
policy daemon that postfix consults for every recipient:

$ apt-get install postfix-policyd-spf-python

/etc/postfix/main.cf

policy-spf_time_limit = 3600s

/etc/postfix/master.cf

policy-spf unix -       n       n       -       -       spawn
  user=nobody argv=/usr/bin/policyd-spf

And for our own domain, a DNS TXT record that names the only host allowed to
send mail for it; the final -all tells receivers to fail everything else:

v=spf1 ip4:62.75.219.19 -all

/etc/postfix-policyd-spf-python/policyd-spf.conf

debugLevel = 1
defaultSeedOnly = 1

HELO_reject = SPF_Not_Pass
Mail_From_reject = Fail

PermError_reject = False
TempError_Defer = False

skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0//104,::1//128
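The time limit and the master.cf service above are not enough on their own: postfix only consults the policy daemon if a check_policy_service entry names its socket. The complete wiring, as an added example following the postfix-policyd-spf-python README rather than the original post, extends the restriction list from the Postfix section:

```conf
# /etc/postfix/main.cf: the restriction list from above, with the policy
# service appended. Placing it after reject_unauth_destination means
# local and authenticated senders are never subjected to SPF, and the
# daemon is not spawned for relay attempts that get rejected anyway.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:private/policy-spf
policy-spf_time_limit = 3600s

# /etc/postfix/master.cf: the socket name matches the entry above.
# The continuation line must be indented.
policy-spf unix -       n       n       -       -       spawn
  user=nobody argv=/usr/bin/policyd-spf
```

Since the daemon runs as nobody and answers over a socket in the queue directory, a failure of the daemon shows up in the mail log as a policy service timeout and postfix defers the message rather than accepting it unchecked; that is the safe default and worth confirming once by stopping the daemon and watching the log.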

FIXME: the skip_addresses field should also list all hosts from which I get
email forwarded. For example, if I get my josch@debian.org email forwarded to
this server, then I should list the debian.org mail relay servers. A list of
these can be found by doing:

Otherwise, senders whose SPF record contains only their own IP and a final
-all will see their mail rejected by this server. This is because the email
was forwarded by the debian.org relay, whose IP is not in their SPF record.
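To make that failure mode concrete, here is an added example of my own (not part of the original post, and not how policyd-spf is implemented): a toy SPF evaluator in POSIX shell that understands only ip4: mechanisms and the all default (no include:, a or mx, no DNS lookups, IPv4 only), plus a policy function that mirrors the two settings that matter here, skip_addresses and Mail_From_reject = Fail. The sender record and the addresses are constructed RFC 5737 documentation addresses, not real hosts.

```shell
#!/bin/sh
# Toy SPF evaluation for the forwarding case. IPv4 only; only the ip4:
# mechanism and the all default are implemented.

# ip4_to_int A.B.C.D -> decimal integer
ip4_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NETWORK[/BITS] -> exit status 0 if IP lies inside NETWORK
in_cidr() {
    ip=$(ip4_to_int "$1")
    case $2 in
        */*) net=$(ip4_to_int "${2%/*}"); bits=${2#*/} ;;
        *)   net=$(ip4_to_int "$2");      bits=32 ;;
    esac
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# spf_check RECORD CLIENT_IP -> prints Pass, Fail, SoftFail or Neutral
spf_check() {
    for term in $1; do
        case $term in
            v=spf1)   ;;
            ip4:*)    in_cidr "$2" "${term#ip4:}" && { echo Pass; return 0; } ;;
            -all)     echo Fail;     return 0 ;;
            "~all")   echo SoftFail; return 0 ;;
            "?all")   echo Neutral;  return 0 ;;
            +all|all) echo Pass;     return 0 ;;
            *)        echo "unsupported term: $term" >&2; return 2 ;;
        esac
    done
    echo Neutral    # a record without an all term
}

# policy_decision CLIENT_IP SENDER_RECORD [SKIP_NETWORK ...]
# Prints what a policyd-spf with Mail_From_reject = Fail would answer.
# Simplified: a DUNNO here carries the SPF result in parentheses instead
# of the Received-SPF header the real daemon prepends.
policy_decision() {
    client=$1; record=$2; shift 2
    # skip_addresses: trusted forwarders are never evaluated at all
    for skip in "$@"; do
        in_cidr "$client" "$skip" && { echo "DUNNO (skip_addresses)"; return 0; }
    done
    result=$(spf_check "$record" "$client") || return 2
    case $result in
        Fail) echo "REJECT Message rejected due to SPF Fail" ;;
        *)    echo "DUNNO ($result)" ;;
    esac
}

# Constructed scenario: a third party publishes a strict record for its own
# host. Its mail reaches us once directly and once via a forwarding relay
# (both addresses are RFC 5737 documentation addresses).
SENDER_SPF='v=spf1 ip4:203.0.113.5 -all'
SENDER_IP=203.0.113.5
RELAY_IP=198.51.100.7
policy_decision "$SENDER_IP" "$SENDER_SPF"                  # DUNNO (Pass)
policy_decision "$RELAY_IP"  "$SENDER_SPF"                  # REJECT Message rejected due to SPF Fail
policy_decision "$RELAY_IP"  "$SENDER_SPF" 198.51.100.0/24  # DUNNO (skip_addresses)
```

The second call is exactly the forwarded-mail case described above: the sender's record is correct, the relay is doing nothing wrong, and the message is still rejected because the connecting IP is the relay's. The third call shows why the forwarding relays belong in skip_addresses. Note the trade-off: any address in that list bypasses SPF completely, so it should contain only relays you actually receive forwarded mail from, not whole provider ranges.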